Content deleted Content added
OAEP is always IND-CPA2 |
m using wiki references |
||
Line 1:
In [[cryptography]], '''Optimal Asymmetric Encryption Padding''' ('''OAEP''') is a [[padding (cryptography)|padding scheme]] often used together with [[RSA|RSA encryption]]. OAEP was introduced by Bellare and Rogaway.<ref>
[[Mihir Bellare|M. Bellare]], [[Phillip Rogaway|P. Rogaway]]. ''Optimal Asymmetric Encryption -- How to encrypt with RSA''. Extended abstract in Advances in Cryptology - [[Eurocrypt]] '94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed, [[Springer-Verlag]], 1995. [http://www-cse.ucsd.edu/users/mihir/papers/oae.pdf full version (pdf)]</ref> The OAEP algorithm is a form of [[feistel network]] which uses a pair of [[random oracle]]s G and H to process the plaintext prior to [[asymmetric encryption]]. When combined with any secure [[trapdoor one-way function|trapdoor one-way permutation]] <math>f</math>, this processing is proved in the [[random oracle model]] to result in a combined scheme which is [[semantic security|semantically secure]] under [[chosen plaintext attack]] (IND-CPA). When implemented with certain trapdoor permutations (e.g., RSA), OAEP is also proved secure against [[chosen ciphertext attack]]. Some evidence suggests that security of RSA-OAEP cannot be proved in the standard model (i.e., without random oracles) based on the [[RSA problem]]. OAEP satisfies the following two goals:
Line 6 ⟶ 9:
#Prevent partial decryption of ciphertexts (or other information leakage) by ensuring that an adversary cannot recover any portion of the plaintext without being able to invert the [[trapdoor one-way function|trapdoor one-way permutation]] <math>f</math>.
The original version of OAEP (Bellare/Rogaway, 1994) claimed a form of "[[plaintext-aware encryption|plaintext awareness]]" (that implies security against [[chosen ciphertext attack]]) in the random oracle model when OAEP is used with any trapdoor permutation. Subsequent results contradicted this result, showing the OAEP was only IND-CPA2 secure. However, the original scheme was proved in the [[random oracle model]] to be secure when OAEP is used with the RSA permutation using standard encryption exponents, as in the case of RSA-OAEP.
An improved scheme (called OAEP+) that works with any trapdoor one-way permutation was offered by [[Victor Shoup]] to solve this problem.<ref>
More recent work has shown that in the standard model (that is, when hash functions are not modelled as random oracles), that it is impossible to prove the IND-CCA2 security of RSA-OAEP under the assumed hardness of the RSA problem. <ref>
==References==
<references/>
▲*D. Brown, [http://eprint.iacr.org/2006/223 ''Unprovable Security of RSA-OAEP in the Standard Model''], IACR ePrint 2006/233.
▲*Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and [[Jacques Stern]]. ''RSA-- OAEP is secure under the RSA assumption''. In J. Kilian, ed., Advances in Cryptology -- [[CRYPTO]] 2001, vol. 2139 of Lecture Notes in Computer Science, SpringerVerlag, 2001. [http://eprint.iacr.org/2000/061.pdf full version (pdf)]
▲*P. Paillier and J. Villar, ''Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption'', Advances in Cryptology -- [[Asiacrypt]] 2006.
▲*Victor Shoup. ''OAEP Reconsidered''. IBM Zurich Research Lab, Saumerstr. 4, 8803 Ruschlikon, Switzerland. September 18, 2001. [http://www.shoup.net/papers/oaep.pdf full version (pdf)]
[[Category:Asymmetric-key cryptosystems]]
| |||